In traditional IT security, one of the worst things that can happen to you is that you lose your data in a cyber breach. But the stakes are much higher in the industrial realm. “The Equifax hack was bad,” said Ray Komar, VP of Technical Alliances at Tenable, in an interview at the Gartner Symposium in Barcelona. “But imagine an Equifax corollary in the physical world.” Cyberattacks on critical infrastructure could injure workers, potentially harm the public and disrupt the economy.
While the topic of critical infrastructure protection is receiving increasing scrutiny, many industrial organizations have still not addressed fundamental security threats, explained Leo Simonovich, vice president and global head, industrial cyber and digital security at Siemens. For that reason, Siemens has teamed up with Tenable to help energy, utilities and oil and gas companies address cyber risks. “The thing that is interesting about [operational technology] OT security is that just getting a grasp on the basics is hard,” Simonovich said. “You have to understand the protocols. You often have to work with legacy systems and aging infrastructure that often has digital bolted on.” Even discovering what is on the industrial network can be a challenge.
The attack surface for industrial organizations also tends to be much larger than for strictly IT environments. While IT security professionals are often tasked with securing a corporate office, securing a complete OT environment is a much vaster task. “You have to secure the edge, the control room and the enterprise network,” Simonovich explained. On top of all of that, there is the need to secure the traditional IT network, which has a growing amount of connectivity to the operational environment. The convergence of IT and OT is a perfect storm. “You no longer have a castle with a moat,” Simonovich added. “You have to have a holistic layered defense to be effective.”
Maintaining a 360-degree view of security is tricky when there is a considerable skills shortage in the cybersecurity space, and even conveying the risk to workers can be difficult. “For instance, it is often a real challenge to ask the guys with hard hats on to focus on cybersecurity,” Komar said. Getting buy-in from executives and business leaders can also be vexing. “Security has struggled with the classic paradox,” Komar said. “If you do security really well, guess what happens: Nothing. So how do you go justify that spend with an ROI to a CEO?” The fact that there is often a dearth of cybersecurity actuarial data to enable risk-informed spending decisions is another challenge.
Another point of confusion is the rising number of cybersecurity vendors, many offering similar-sounding technologies marketed as veritable silver bullets for cybersecurity risks. “I think there is a ton of noise in the market,” Simonovich said. “Everybody uses the same buzzwords like artificial intelligence. It is hard to figure out what is real.”
“This industry has been rife with what I call the shiny object syndrome,” Komar said. “It is all about: Show me the coolest new widget to help with my security problems. We got away from the fundamentals.”
Komar provided a non-security example to make his point: “There are a bunch of magic pills in the market that supposedly help you burn fat, lose weight and make you feel great. But you are probably better off by eating right and doing your pushups on a consistent basis.”
Siemens and Tenable are hoping that the pendulum will swing back towards emphasizing the importance of fundamental security practices rather than focusing on a singular promising technology.
While a good number of large companies have fundamental security protocols in place, many small- to medium-sized firms don’t. “If you look at where the weakest link is today [in industrial cybersecurity], it is often with small to medium companies,” Simonovich said. “We just did a study with the Ponemon Institute that looked at the maturity of companies. A total of 70% of them had a low to medium maturity. A lot of those companies are still dealing with fundamentals.”
It is true that technologies like artificial intelligence and blockchain hold real promise for critical infrastructure protection, but, in the end, “it is not about a single piece of technology,” Simonovich concluded. “It is about combining different building blocks together. You take care of the basics, and then you add technologies like cyber asset management and artificial intelligence on top.”